If a program offers cash rewards, it is willing to pay you for a valid bug. A valid bug is a security vulnerability that is in scope as per the bounty brief and can be reproduced by the triaging Application Security Engineer (ASE) or Program Owner.

To qualify for a cash reward, you must be the first Researcher to report the vulnerability. It cannot be a duplicate of a report someone else has already submitted or a known issue that has been imported by the Program Owner.

You will know your submission has been accepted as valid when its status changes from Triaged to Unresolved. When this happens, the Program Owner will reward your submission. You will receive an e-mail notification that your submission has been accepted and you have been rewarded for your efforts.

The Program Owner sets the reward amount with Bugcrowd’s input. It is typically based on the current market rate for the priority assigned to the submission and the impact of the submission for the business. This rate varies, but generally, vulnerabilities with a higher priority rating are rewarded more.

Rewards vary by program.

Earning Kudos Points for Valid Bugs

You are awarded points for each valid accepted report. You must be the first person to report the bug to earn all possible points.

Each bug is rated on a priority scale of P1 - P5 according to Bugcrowd’s VRT, with points awarded accordingly:

Priority Level | Points Earned
P1 Critical | 40 points
P2 High | 20 points
P3 Moderate | 10 points
P4 Low | 5 points
P5 Non-exploitable weaknesses | 0 points

Earning Points for Duplicate Bugs

Points are also awarded for duplicate submissions based on their severity. Points are awarded for a duplicate submission when the original bug is accepted by the Program Owner.

Priority Level | Points Earned
P1 Critical | 10 points
P2 High | 5 points
P3 Moderate | 0 points
P4 Low | 0 points
P5 Non-exploitable weaknesses | 0 points

For more detailed information about the prioritization of a vulnerability, see Bugcrowd VRT.

